The Open Web Application Security Project (OWASP) is a worldwide community focusing on improving the security of web applications. One project developed by OWASP is the OWASP Top 10, which is a list of the most serious web application vulnerabilities. Obviously, there are innumerable ways to hack a web application but this list contains the most common and well known vulnerabilities that you should protect your web applications against. Over the next few weeks, I will break down each vulnerability in the top 10 list to help you understand what they are, how they can be exploited, and what you can do to fix them.
The OWASP Project in and of itself is a great tool to learn about the various vulnerabilities that exist in web applications and also how to prevent them. Tools like the WebGoat Project provide a hands-on training environment to learn about the vulnerabilities in the OWASP Top 10. WebGoat also teaches you how to exploit these vulnerabilities by giving you a completely functional Java web application to exploit.
The main take away from the OWASP effort is to promote the integration of secure coding principles into the SDLC of your web applications. This is the only way you can be reasonably assured that your web application is free from vulnerabilities. Security is not a one-time event. It must be a part of your SDLC practiced by everyone. An errant change on one line of your application by a single developer could make your application vulnerable.
My goal is to create awareness of the most critical web application security flaws and point you in the right direction to designing secure web applications. Look for my next article on the OWASP Top 10’s number one vulnerability: Cross Site Scripting.